Access management apparatus, non-transitory computer readable medium, and access management method

ABSTRACT

An access management apparatus includes: a memory storing data; and a processor configured to manage an access of a user to the data in accordance with a confidentiality score of the data and a reliability score of the user.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is based on and claims priority under 35 USC 119 fromJapanese Patent Application No. 2021-148482 filed Sep. 13, 2021.

BACKGROUND (i) Technical Field

The present disclosure relates to an access management apparatus, anon-transitory computer readable medium, and an access managementmethod.

(ii) Related Art

Collaborative work and outsourcing are now beginning to be in widespreaduse. In the collaborative work, multiple companies (or individuals orprivate businesses) perform a project in cooperation with each other. Inthe outsourcing, one company arranges for another company to do work.Ways of business involving multiple entities including the collaborativework and outsourcing hereinafter referred to as collaboration.

The collaboration of one company and a free-lancer (or outside worker)may now be considered. From the standpoint of information security,access of the free-lancer to in-house data owned by the company may berestricted. On the other hand, from the standpoint of collaboration,restriction of the access of the free-lancer to the in-house data maylead to slowing down business progress and removal or alleviation of therestriction may be performed.

Confidentiality of the in-house data to be accessed by the outsideworker may be at a variety of levels. Reliability of the outside workersrequesting the access to the in-house data may also be at a variety oflevels. In accordance with relative relationship between the in-housedata and the outside workers, the accessing to the in-house data may beadaptively and individually managed. The same is true of the case inwhich persons in the company access the in-house data.

Japanese Patent No. 4719420 discloses a system that grants access todata in accordance with an approval of an administrator. However,Japanese Patent No. 4719420 does not disclose a mechanism that takesinto consideration a combination of data and users.

Confidentiality of data serving as an access target is various.Reliability of users (workers) requesting to access the data is alsovarious. If the access of the users to data is uniformly granted,information security may not be guaranteed. On the other hand, if theaccess of the user to the data is uniformly denied, accessing that maybe performed in business is not ensured. Both cases may presentdifficulty in keeping up or promoting the collaboration or group work.

SUMMARY

Aspects of non-limiting embodiments of the present disclosure relate toproviding a mechanism that manages the access of a user to data inaccordance with confidentiality of the data and reliability of the user.

Aspects of certain non-limiting embodiments of the present disclosureaddress the above advantages and/or other advantages not describedabove. However, aspects of the non-limiting embodiments are not requiredto address the advantages described above, and aspects of thenon-limiting embodiments of the present disclosure may not addressadvantages described above.

According to an aspect of the present disclosure, there is provided anaccess management apparatus including: a memory storing data; and aprocessor configured to manage an access of a user to the data inaccordance with a confidentiality score of the data and a reliabilityscore of the user.

BRIEF DESCRIPTION OF THE DRAWINGS

Exemplary embodiment of the present disclosure will be described indetail based on the following figures, wherein:

FIG. 1 is a block diagram illustrating a first configuration example ofan access management apparatus;

FIG. 2 illustrates an example of a confidentiality score grantcondition;

FIG. 3 illustrates an example of a confidentiality score table;

FIG. 4 illustrates an example of a reliability score grant condition;

FIG. 5 illustrates an example of a reliability score table;

FIG. 6 illustrates an example of an access right management table;

FIG. 7 is a flowchart illustrating an process example of the accessmanagement apparatus;

FIG. 8 is a block diagram illustrating a second configuration example ofthe access management apparatus;

FIG. 9 is a conceptual view of an access management method;

FIG. 10 is a flowchart illustrating a process example of the accessmanagement apparatus illustrated in FIG. 8 ;

FIG. 11 is a flowchart illustrating a process when a first specialcondition is applied;

FIG. 12 is a flowchart illustrating a process when a second specialcondition is applied;

FIG. 13 is a flowchart illustrating a process when a third specialcondition is applied;

FIG. 14 is a block diagram illustrating a third configuration example ofthe access management apparatus;

FIG. 15 illustrates a display example of monitoring information;

FIG. 16 illustrates an effective period of the access right; and

FIG. 17 illustrates a modification of a measure responsive to adifference.

DETAILED DESCRIPTION

Exemplary embodiment of the disclosure is described below.

(1) Overview of Exemplary Embodiment

An access management apparatus of an exemplary embodiment includes amemory and a processor. Data is stored on the memory. The processormanages an access of a user to the data in accordance with aconfidentiality score of the data and a reliability score of the user.

The access of the user to the data may be managed in accordance with amagnitude relation of the confidentiality score of the data and thereliability score of the user. Specifically, to grant the access to thedata, a higher reliability score may be used as a confidentiality scoreof the data is higher, and a lower reliability score may be used as theconfidentiality score of the data is lower. When an outside workeraccesses in-house data in collaboration with a company and the outsideworker who does not belong to the company, the configuration describedabove may efficiently work. Even when a user belonging to the companyaccesses the in-house data, the configuration may also work.

The confidentiality score of the data signifies a criterion or rankindicating how much the data is to be kept secret. The confidentialityscore is thus a confidentiality level. The confidentiality score may beautomatically determined in accordance with data contents, data name,and data attributes or may be specified by a score granter. Thereliability score of the user signifies a criterion or rank indicatinghow much the user is reliable. The reliability score is thus areliability level. The reliability score of the user may beautomatically determined in accordance with an organization to which theuser belongs, the position of the user in the organization, and theuser's achievement, etc. or may be specified by the score granter.

According to the exemplary embodiment, the processor grants the user anaccess to the data if the confidentiality score and reliability scoresatisfy a basic condition. For example, if the reliability score isequal to or above the confidentiality score, the basic condition issatisfied. If a special condition is satisfied with the basic conditionunsatisfied, the processor is configured to grant the user the access.The processor is configured to grant the user the access based on theassumption that information security is increased with the specialcondition satisfied. The basic condition is a principle condition thatis to be satisfied to grant the access to the data. The specialcondition is an exceptional condition that is to be satisfied even withthe basic condition unsatisfied when the access to the data is to begranted. Both information security and information accessibility may beensured by applying the basic condition and special condition in astepwise manner.

Several conditions may be contemplated as special conditions. Forexample, a first special condition is that the user and a personconcerned are in the same compartment. If the person concerned isexpected to monitor the user, the user may be granted the access to thedata. A second special condition is that additional authentication isestablished with the user in addition to the establishment of the basicauthentication. The establishment of double authentications signifies alower possibility of spoofing. In view of this, the user is granted theaccess to the data. A third special condition is that the access of theuser to the data is approved by an approver belonging to the company. Bycombining the automatic approval and personal approval, workloadinvolved in approval may be reduced and the information security may beensured.

According to the exemplary embodiment, the processor is configured toapply a monitoring measure to monitor the access of the user when theaccess of the user to the data is granted. For example, the processor isconfigured to, as the monitoring measure, generate monitoringinformation indicating the access of the user to the data and providethe monitoring information to the person concerned. Specifically, theprocessor is configured to report monitoring results. Access monitoringmay increase the information security by psychologically influencing theuser.

According to the exemplary embodiment, the processor is configured tocalculate a difference between the confidentiality score and reliabilityscore and modify, in accordance with the magnitude of the difference,the contents of the measure that is applied to manage the access of theuser to the data. The difference between the confidentiality score andreliability score indicates a relative relationship between theconfidentiality score and reliability score (also may be referred to asa magnitude relationship). If the contents of the measure managing theaccess in response to the relative relationship are modified, flexibleaccess management adapted to the situation may be performed.

A program performing an access management method of the exemplaryembodiment may be installed onto an information processing apparatus viaa removable storage medium or via a network. The program is stored on anon-transitory computer readable medium in the information processingapparatus. The concept of the information processing apparatus includesan access management apparatus, computer, and server. The informationprocessing apparatus may include multiple computers.

(2) Detail of Exemplary Embodiment

FIG. 1 illustrates a first configuration example of an access managementapparatus 28. The access management apparatus 28 corresponds to part ofan information processing system 10A arranged in a company 10.Alternatively, the access management apparatus 28 may be external to thecompany 10. For example, the access management apparatus 28 may beconfigured as a cloud server.

An information processing system 10A is connected to external terminalapparatuses 14 and 16 via a network (such as the Internet) 12. Each ofthe external terminal apparatuses 14 and 16 includes a computer servingan information processing apparatus and includes a processor, an inputunit and a display.

In the information processing system 10A, an in-house network 18connects to in-house terminal apparatuses 20 and 22, storage 24, andaccess management apparatus 28. Each of the in-house terminalapparatuses 20 and 22 is a computer serving as an information processingapparatus and includes a processor, an input unit, and a display. Thestorage 24 is a recording medium and serves as a file server. Thestorage 24 stores files Fa and Fb as in-house data. According to theexemplary embodiment, each of the files Fa and Fb is data serving as amanagement target and includes, for example, document data, image data,and table data. The storage 24 may include multiple recording media.

The access management apparatus 28 includes a processor 30 and a memory32. The processor 30 includes, for example, a central processing unit(CPU) executing a program. The memory 32 is a semiconductor memory, harddisk drive, or the like. The access management apparatus 28 is aninformation processing apparatus. The access management apparatus 28 mayinclude multiple computers.

Referring to FIG. 1 , multiple blocks represent multiple functionsperformed by the processor 30. Specifically, the processor 30 functionsas a confidentiality score determiner 34, reliability score determiner36, and access manager 38. The memory 32 stores a confidentiality scoretable 40, reliability score table 42, and access right management table44.

The confidentiality score determiner 34 determines a confidentialityscore of each piece of data serving as an access management target. Theconfidentiality score corresponds to a confidentiality level. Accordingto the exemplary embodiment, a specific confidentiality score isselected from five levels of the confidentiality scores and is grantedto the data. Specifically, the five-level confidentiality score rangesfrom a confidentiality score 1 to a confidentiality score 5. Theconfidentiality score 5 is at the highest confidentiality level. Adetermination rule of the confidentiality scores is described below.Alternatively, the number of levels for the confidentiality scores maybe four or less or six or more. According to the exemplary embodiment,the confidentiality scores determined by piece by piece of the data areregistered in the confidentiality score table 40. When a file is storedon the storage 24, the confidentiality score of the file may bedetermined.

The reliability score determiner 36 determines the reliability score ofeach user serving as a target grantee of an access right. Thereliability score corresponds to a reliability level. According to theexemplary embodiment, a specific reliability score is selected fromfive-level reliability scores and is granted to the user. Specifically,the five-level reliability score ranges from a reliability score 1 to areliability score 5 and the reliability score 5 is at the highestreliability level. A determination rule of the reliability score isdescribed below. Alternatively, the number of levels of the reliabilityscore may be four or less or six or more. According to the exemplaryembodiment, the reliability score determined on a per user basis isregistered in the reliability score table 42. The user is typically aworker who requests the access to (or refers to, or acquires) the data.

The access manager 38 manages the access of the user to the data.Specifically, in accordance with the relative relationship or themagnitude relationship between the confidentiality score of the data andthe reliability score of the user, the access manager 38 determineswhether to grant the user the access right.

In the first configuration example displayed in FIG. 1 , the accessmanager 38 grants the user the access right if the basic condition issatisfied. The basic condition is that the reliability score is equal toor above the confidentiality score to grant the access right.

In a second configuration example described below, the access manager 38grants the access right if the basic condition or the special conditionis satisfied. Specifically, if the special condition is satisfied evenwith the basic condition unsatisfied, the access right is granted. Insuch a case, the basic condition is a principal condition that is to besatisfied to grant the access right and the special condition is anexceptional condition to grant the access right. A determination as towhether the special condition is satisfied or not may be performed inthe first configuration example in FIG. 1 . The special condition isdescribed in greater detail below.

The access management apparatus 28 of the exemplary embodiment mayfunction effectively when a company and an outside worker (such as afree-lancer) not belonging to the company are in collaboration. In sucha case, a person in charge in the company requests the access managementapparatus 28 to grant the outside worker the access right. Referring toFIG. 1 , the person in charge is referred to as a grant requester. Thegrant requester transmits to the access management apparatus 28 a grantrequest using the in-house terminal apparatus 20. In response to thereception of the grant request, the access management apparatus 28determines a confidential rank and a reliability rank in accordance withdata and a user, identified by the grant request. If the basic condition(or the special condition) is satisfied, the access management apparatus28 issues the access right to the user. In such a case, the access rightis registered as data in the access right management table 44. Data,such as an access key or the like, may also be transmitted as the accessright to the user.

When a person belonging to the company accesses the in-house data, theaccess management apparatus 28 also functions. As described above, thecompany is an entity that owns the data serving as a management target(or an entity that manages the data). The concept of the companyincludes a variety of organizations, including a private business.Simply put, when a person belonging to an entity owning data and aperson not belonging to the entity cooperate to produce, edit, orprocess data, a determination as to whether to grant the access right ismade on a per worker (user) basis.

FIG. 2 illustrates an example of a grant rule of the confidentialityscore. A rule 46 illustrated in FIG. 2 includes five grant conditionsfrom a confidentiality score 5 to a confidentiality score 1. Inaccordance with the rule 46, the confidentiality score determiner 34 inFIG. 1 determines the confidentiality score.

Referring to FIG. 2 , an explicit grant action of a file creator of afile grants the confidentiality score 5. The file herein is data servingas a management target and the file creator is a data creator. If two ormore types of specific words are included in a file or a file name, theconfidentiality score 4 is granted. If one or more types of specificwords are included in the file or the file name, the confidentialityscore 3 is granted. If no specific word is not included in the file orthe file name, the confidentiality score 2 is granted. The explicitgrant action of the file creator grants the confidentiality score 1.

Specific words may include “confidential,” “secret,” “secretinformation,” and “handle with care.” A word collection may beregistered by an administrator. The confidentiality score may bedetermined in accordance with the attribute of the file, the attributeof the file creator, and the attribute of a folder storing the file. Theconfidentiality score may be determining by calculating an average valueof or by finding a maximum value of automatically determined tentativeconfidentiality scores and manually specified tentative confidentialityscores.

FIG. 3 illustrates an example of the confidentiality score tableillustrated in FIG. 1 . Referring to FIG. 3 , the confidentiality scoretable 40 is used to manage the confidentiality score granted on a perfile basis. If a given file has been granted a confidentiality score,the confidentiality score of that file is identified by referencing theconfidentiality score table 40. Alternatively, the confidentiality scoremay be determined again.

FIG. 4 illustrates an example of a rule 48 according to which thereliability score is granted. The rule 48 includes five grant conditionscorresponding to a reliability score 5 to a reliability score 1.According to the rule 48, the reliability score determiner 36 in FIG. 1determines the reliability score.

Referring to FIG. 4 , for example, a board member of the company isgranted the reliability score 5, a manager in the company is granted thereliability score 4, and a general staff is granted the reliabilityscore 3. Referring to FIG. 4 , a free-lancer as an outside worker isgranted the reliability score in accordance with the presence or absenceof the free-lancer's past business results. Specifically, if thefree-lancer has past business results, he or she is granted thereliability score 2 and if the free-lancer does not have past businessresults, he or she is granted the reliability score 1.

The reliability rank may be determined in accordance with informationthat has been acquired from an external system (such as a personnelsystem or a visitor system). For example, the reliability rank may bedetermined in accordance with information on the attribute and positionof the user. For example, the user may be granted the reliability rankin accordance with the role and position of the user in a project. Forexample, a person belonging to an organization in charge of a projectmay be granted a relatively higher reliability rank and a personbelonging to an organization participating in the project may be granteda relatively lower reliability rank.

FIG. 5 illustrates an example of the reliability score table 42 in FIG.1 . The reliability score table 42 is used to manage the reliabilityrank granted to each user.

FIG. 6 illustrates an example of the access right management table 44 inFIG. 1 . The access right management table 44 in FIG. 6 includesmultiple records 49. Each record 49 corresponds to a combination of auser and a file. Specifically, each record 49 includes information 50identifying a user, information 52 identifying a file, information 54indicating the presence or absence of the access right, information 56indicating a grant precondition, information 58 indicating an operationcondition, and information 60 indicating an effective period. The grantprecondition may be that the person is a participant of the project.Permitted operations may be restricted using the operation condition.For example, the permitted operations may be file reference or fileprinting and prohibited operations may be file overwriting or filedeleting. The effective period is a time period throughout which theaccess right is effective.

FIG. 7 illustrates a process example of the access management apparatusin the first configuration example. Referring to FIG. 7 , a specificin-house terminal apparatus (grant requester) is illustrated at theleft, an access management apparatus is illustrated at the center, and aspecific external terminal apparatus (target grantee) is illustrated atthe right.

In step S10, a request for an access right grant is transmitted from thein-house terminal apparatus to the access management apparatus. Therequest includes information identifying the data that is intended to beused by the target grantee and information identifying the targetgrantee. In step S12, the access management apparatus determines aconfidentiality score S of the data and also determines a reliabilityscore T of the target grantee.

In step S14, the access management apparatus determines in accordancewith the confidentiality score S and the reliability score T whether togrant the access right. If the basic condition is satisfied in the firstconfiguration example, specifically, relationship T≥S holds true, theaccess right is granted. In the second configuration example describedbelow, the access right is granted if the special condition is satisfiedeven with the basic condition unsatisfied.

If the access right is granted, the in-house terminal apparatus isnotified in step S16A that the access right has been granted and theexternal terminal apparatus is notified in step S16B that the accessright has been granted. The access management apparatus transmits anaccess key to the external terminal apparatus as appropriate. If theaccess right is granted, the external terminal apparatus is allowed toaccess a specific file in a storage.

If the access right is not granted, the in-house terminal apparatus isnotified in step S16C that the access right has not been granted and theexternal terminal apparatus is notified in step S16D that the accessright has not been granted.

FIG. 8 illustrates an access management apparatus 28A in the secondconfiguration example. Referring to FIG. 8 , like elements in FIG. 1 aredesignated with like reference numerals and the discussion thereof isnot duplicated.

An access manager 38A in the access management apparatus 28A includes aspecial condition application unit 62. In such a case as that theconfidentiality score and reliability score fail to satisfy the basiccondition, the special condition application unit 62 applies the specialcondition to determine whether the special condition is satisfied.

When the special condition is applied, biometric authenticators 14 a and16 a respectively mounted in the external terminal apparatuses 14 and 16are used or the access management apparatus 28A operates cooperativelywith an entry and exit management system 64.

Referring to FIG. 9 , the basic condition and special condition aredescribed. FIG. 9 illustrates an operation or process 38B performed bythe access manager 38A and an operation or process 62A performed by thespecial condition application unit 62 in the access manager 38A.

FIG. 9 illustrates a basic condition 66. Specifically, the basiccondition is “T≥S.” This is only an example of the basic condition. Ifthe basic condition is satisfied, an access right is granted asillustrated by reference numeral 72. If reliability at a certain levelor above is recognized on the data serving as a usage target, the accessto the data is granted. If reliability at the certain level or above isnot recognized, the access to the data is denied.

Reference numeral 68 denotes a precondition (application precondition)according to which the special condition is applied. If a difference (orgap) resulting from subtracting the confidentiality score S from thereliability score T falls within a range of −2 or greater and less than0, the special condition is applied as denoted by reference numeral 74.If the special condition is satisfied, the access right is granted.

From the standpoint of information security, the access to the data maybe granted as long as the basic condition is satisfied. On the otherhand, from the standpoint of information accessibility, the access tothe data may be granted as long as a certain level of informationsecurity is ensured even with the basic condition unsatisfied. Thespecial condition is set up to ensure the certain level of informationsecurity. As will be described below, examples of the special conditioninclude the satisfaction of additional authentication, the satisfactionof the same room condition, and the approval by an authorized approver.

As denoted by reference numeral 70, if neither the basic condition 66nor the application precondition 68 is satisfied and the specialcondition applied is unsatisfied, the access right is not granted asdenoted by reference numeral 76.

FIG. 10 illustrates the process of the access management apparatus inthe second configuration example. If the access management apparatusdetermines in step S20 that the access right is requested, a series ofoperations in step S22 and thereafter are performed. In step S22, theaccess management apparatus determines whether the access right for acombination of data and a user identified in response to the request ofthe access right grant has been registered. If the access right has notbeen registered, the process proceeds to step S24. If the access righthas been registered, the process ends.

In step S24, the access management apparatus determines theconfidentiality score S in accordance with the identified data anddetermines the reliability score T in accordance with the identifieduser. In step S26, the confidentiality score S is compared with thereliability score T. If the basic condition (T≥S) is satisfied, theaccess right is granted in step S32. If the application precondition(0>T−S≥−2) is satisfied in step S26, the special condition is applied instep S28. If the special condition is satisfied in step S30, the accessright is granted in step S32. If the access management apparatusdetermines in step S30 that the special condition is unsatisfied, theaccess right is not granted.

If neither the basic condition nor the application precondition issatisfied in step S26, specifically, if a condition (−2>T−S) issatisfied, the access right is not granted. If the access right isgranted, a notification indicating that the access right has beengranted is issued in step S34 and the access right is registered. If theaccess right is not granted, a notification indicating that the accessright has not been granted is issued in step S34 and a denial of theaccess right is registered. FIG. 10 illustrates an operation portion 62Bof the special condition application unit.

Application examples of first through third special conditions arerespectively described with reference to FIGS. 11 through 13 .

FIG. 11 illustrates the application example of the first specialcondition. The first special condition is that the target grantee is tobe additionally authenticated. If the application of the specialcondition is determined in step S40, a notification indicating that thetarget grantee is to be additionally authenticated is issued to thetarget grantee in step S42. In step S44, the target grantee isadditionally authenticated.

The additional authentication is performed in addition to basicauthentication. The basic authentication is initial authenticationperformed at a login on the information processing system. Theadditional authentication is performed using biometric authentication orusing a mobile phone. The biometric authentication may be, for example,fingerprint authentication. Alternatively, a one-time password may betransmitted to the mobile phone and then the user may be requested toenter the password.

In step S45, the additional authentication is determined to besuccessfully completed. If the additional authentication is successfullycompleted, the access right is granted in step S46. If the additionalauthentication is not successfully completed, the access managementapparatus determines in step S48 that the access right is to be denied.If the double authentication is satisfied, the access right is grantedbecause the possibility of spoofing is lower.

After the notification in step S42, the execution of the additionalauthentication may be requested within a specific period of time. Insuch a case, the length of the specific period of time may be determinedin view of the situation where the target grantee has difficultyimmediately responding to the notification. The notification may be puton hold before the login and may then be transmitted to the targetgrantee after the login.

FIG. 12 illustrates the application example of the second specialcondition. Referring to FIG. 12 , operations identical to the operationsin FIG. 11 are designated with the same step numbers and the discussionthereof is omitted herein. The same is true of FIG. 13 described below.

The second special condition is that a target grantee (user) and aperson concerned (a specific employee belonging a company, typically agrant requester) are in the same room to be granted the access right.Specifically, if the application of the special condition is determinedin step S40, the access management apparatus requests in step S50, fromthe entry and exit management system, information that is used todetermine whether the target grantee and the person concerned are in thesame room. In step S52, in response to the information from the entryand exit management system, the access management apparatus determineswhether the target grantee and the person concerned are in the sameroom.

If the target grantee and the person concerned are in the same room, thetarget grantee is granted the access right in step S46. If the targetgrantee and the person concerned are not in the same room, the accessmanagement apparatus determines in step S48 that the target grantee isto be denied the access right. After the operation in step S46, thetarget grantee and the person concerned are monitored about whether thetarget grantee and the person concerned remain in the same room. If theaccess management apparatus determines in step S51 that the targetgrantee or the person concerned has exited, the access right iscancelled in step S52. In this case, the target grantee and the personconcerned may be notified of the cancellation.

If the target grantee and the person concerned are determined to be inthe same room, the person concerned may be expected to monitor thetarget grantee. In view of this, the target grantee is granted theaccess right. If the person concerned may not be expected to monitor thetarget grantee any longer, the access right is cancelled. To determinewhether the target grantee and the person concerned are in the sameroom, an employee identification (ID) acquired from the personnel systemand a visitor ID acquired from the visitor system may be used. Theaccess right may be granted if the target grantee and the personconcerned are in the same compartment. The concept of the compartmentincludes a room, workshop, or the like.

FIG. 13 illustrates the application example of the third specialcondition. The third special condition is that the user is to beapproved by an approver having approval authority in the company for theuser to be granted the access right.

When the application of the special condition is determined in step S40,the approver is identified in step S54. For example, the approver may beidentified on a per project basis or in accordance with the post of theapprover in the company. A person having logged in may be selected fromamong multiple persons having approval authority in the company andidentified as an approver. The approver may be identified in a randomfashion. The approver may typically be higher in position than thetarget granter in the company.

In step S56, the approver is enquired of whether to approve. If theapprover has approved the target grantee in step S58, the target granteeis granted the access right in step S46. If the approver has notapproved the target grantee in step S58, the access management apparatusdetermines in step S48 that the target grantee is not to be granted theaccess right.

The application of the third special condition may improve informationaccessibility more than when all approval is automatically performed orthe application of the third special condition may reduce more workloadinvolved in the approval than when all approval is performed personally.By applying one of the special conditions, both information security andinformation accessibility may be ensured at the same time. Multiplespecial conditions may be concurrently applied.

FIG. 14 illustrates an access management apparatus 28B having a thirdconfiguration example. The access manager 38B in the access managementapparatus 28B includes a reporter 78. After the access right is issued,the reporter 78 monitors a access granted in accordance with the accessright, specifically, an access of a specific user to specific data,generates a report (monitoring information), and provides the report toa grant requester. The grant requester is a person who has requested theaccess right.

Specific process of the reporter 78 is described herein. The reporter 78constantly monitors accessing to files Fa and Fb serving as managementtargets. If an outside worker (user) granted the access right accesses,using the external terminal apparatus 14, the file Fa related to theaccess right (see step S60), the reporter 78 recognizes the access (seestep S62). Specifically, an accessor (the external terminal apparatus 14having accessed the file Fa), the file Fa serving as an access target,and access start time are identified. The reporter 78 generates thereport in accordance with these pieces of information and transmits thereport to a person having requested the access right grant, namely, auser of the in-house terminal apparatus 20 (see step S64). The report isdisplayed on a screen of the in-house terminal apparatus 20. The file Fabeing accessed by the user may be displayed on the screen.

The third configuration example improves information security in apost-grant time period by monitoring accessing after the access right isgranted. The use of a combination of the first and third configurationexamples or a combination of the second and third configuration examplesmay be acceptable.

FIG. 15 illustrates a report display example. The report display exampleincludes multiple display regions, namely, display regions 82 and 84 onthe screen of the in-house terminal apparatus 20. The display region 84is a message display region used to chat. The display region 84 displaysmultiple messages 86 arranged vertically and chronologically. A specificmessage 88 corresponds to a report. The report includes informationindicating the date and time of an access start, information indicatingan accessor, and information indicating a file serving as an accesstarget. Not only the access start date and time but also access end dateand time may be displayed on the screen. The display region 84 serves asan access log display region. The display region 82 may display a fileon which the user is working. In such a case, the contents of work maybe monitored. Unscrupulous action may be controlled by monitoring theaccessing.

Time management of the access right is described with reference to FIG.16 . As illustrated in an example 1 in FIG. 16 , an access requester mayspecify the start time and end time of the access right (denoted byreference numeral 90). As illustrated in an example 2, a time periodfrom a login to a logout may be specified as the effective period of theaccess right (as denoted by reference numeral 92). In such a case, whenthe login is performed again, the access right grant request may be madeagain. As illustrated in an example 3, a work period may be specified asthe effective period of the access right (as denoted by a referencenumeral 94). The effective period of the access right may be determinedaccording to another criterion.

FIG. 17 illustrates an example of access control performed in accordancewith a difference. A difference D denoted by reference numeral 96corresponds to results obtained by subtracting the confidentiality scoreS from the reliability score T in FIG. 17 . Column denoted by referencenumeral 98 lists whether the access is granted or not. Column denoted byreference numeral 100 lists a measure (usage restriction measure) thatis applied during data usage.

For example, if relationship D1=2, D2=0, D3=−1, and D4=−2, and D≥D1 orD1>D≥D2 holds true (in this case, D is 0 or a positive integer), thebasic condition is satisfied and the access is granted. Specifically,the access right is issued. However, if relationship D1>D≥D2 issatisfied, in other words, if a positive gap is smaller, a measure A isapplied. For example, the measure A is access monitoring and a report isprovided to the grant requester.

If relationship D2>D≥D3 or D3>D≥D4 holds true (D is a negative integer),the special condition is applied. A determination as to whether thespecial condition is satisfied is made. If the special condition issatisfied, the access is granted and the access right is issued.However, if the relationship D2>D≥D3 holds true, in other words, if anegative gap is smaller, the measure A is applied. If the relationshipD3>D≥D4 holds true, in other words, if the negative gap is larger, themeasures A and B are concurrently applied. For example, the measure Brestricts the effective period of the access right to a shorter period.If relationship D4>D holds true, no access right is granted. A measureother than the measures A and B may be applied. For example, fileoperation contents may be modified in view of the magnitude or sign ofthe gap.

The condition on the access right grant may be modified depending on themagnitude of the positive gap. For example, if the positive gap islarger, the effective period may be set to be indefinite. The number ofthe special conditions applied may be modified depending on themagnitude of the negative gap. For example, if the negative gap islarger, the same room condition and approval condition may be used asthe special conditions.

In the embodiments above, the term “processor” refers to hardware in abroad sense. Examples of the processor include general processors (e.g.,CPU: Central Processing Unit) and dedicated processors (e.g., GPU:Graphics Processing Unit, ASIC: Application Specific Integrated Circuit,FPGA: Field Programmable Gate Array, and programmable logic device). Inthe embodiments above, the term “processor” is broad enough to encompassone processor or plural processors in collaboration which are locatedphysically apart from each other but may work cooperatively. The orderof operations of the processor is not limited to one described in theembodiments above, and may be changed.

The foregoing description of the exemplary embodiments of the presentdisclosure has been provided for the purposes of illustration anddescription. It is not intended to be exhaustive or to limit thedisclosure to the precise forms disclosed. Obviously, many modificationsand variations will be apparent to practitioners skilled in the art. Theembodiments were chosen and described in order to best explain theprinciples of the disclosure and its practical applications, therebyenabling others skilled in the art to understand the disclosure forvarious embodiments and with the various modifications as are suited tothe particular use contemplated. It is intended that the scope of thedisclosure be defined by the following claims and their equivalents.

What is claimed is:
 1. An access management apparatus comprising: amemory storing data; and a processor configured to manage an access of auser to the data in accordance with a confidentiality score of the dataand a reliability score of the user.
 2. The access management apparatusaccording to claim 1, wherein the processor is configured to grant theuser the access to the data if the confidentiality score and thereliability score satisfy a basic condition.
 3. The access managementapparatus according to claim 2, wherein the processor is configured togrant the user the access to the data if a special condition issatisfied with the basic condition unsatisfied.
 4. The access managementapparatus according to claim 3, wherein the special condition is thatthe user and a person concerned are in a same compartment.
 5. The accessmanagement apparatus according to claim 4, wherein the data is owned bya company, wherein the user does not belong to the company, and whereinthe person concerned belongs to the company and performs a job togetherwith the user.
 6. The access management apparatus according to claim 3,wherein the special condition is that not only basic authentication butalso additional authentication are established with the user.
 7. Theaccess management apparatus according to claim 3, wherein the data isowned by a company, wherein the user does not belong to the company, andwherein the special condition is that the user is to be granted theaccess to the data by an approver belonging to the company.
 8. Theaccess management apparatus according to claim 1, wherein the processoris configured to apply a monitoring measure to monitor the access of theuser to the data when the user is granted the access to the data.
 9. Theaccess management apparatus according to claim 8, wherein the processoris configured to, as the monitoring measure, generate monitoringinformation indicating the access of the user to the data and providethe monitoring information to a person concerned.
 10. The accessmanagement apparatus according to claim 9, wherein the data is owned bya company, wherein the user does not belong to the company, and whereinthe person concerned belongs to the company.
 11. The access managementapparatus according to claim 1, wherein the processor is configured to:calculate a difference between the confidentiality score and thereliability score; and modify contents of a measure that manages theaccess of the user to the data in accordance with a magnitude of thedifference.
 12. A non-transitory computer readable medium storing aprogram causing a computer to execute a process causing the computer tooperate as an access management apparatus, the process comprising:managing an access of a user to data in accordance with aconfidentiality score of the data and a reliability score of the user.13. An access management method comprising: storing data on a memory;and managing an access of a user to the data in accordance with aconfidentiality score of the data and a reliability score of the user.